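/**
 * Express-style middleware that only lets a request through when the
 * session carries a logged-in user.
 *
 * A request with no `req.session` at all (for example when no session
 * middleware populated it) is treated as unauthenticated and redirected,
 * rather than failing with a TypeError on the property access.
 *
 * @param {object} req - Request; `req.session.user` is read if present.
 * @param {object} res - Response; `res.redirect` is called when there is no user.
 * @param {Function} next - Called with no arguments when a session user exists.
 * @returns {*} The result of `res.redirect('/auth/login')` for unauthenticated
 *   requests, otherwise `undefined`.
 */
export function requireAuth(req, res, next) {
  // Fail closed: a missing session and a missing user are both "not logged in".
  const user = req.session && req.session.user;
  if (!user) {
    return res.redirect('/auth/login');
  }
  next();
}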

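/**
 * Build an Express-style middleware that admits only users whose session
 * role is one of the given roles.
 *
 * Checks run in order: no session user -> redirect to the login page;
 * user role not in `roles` -> HTTP 403 with the `error` view; otherwise
 * `next()` is called. When called with no roles, every authenticated user
 * gets the 403, because nothing can match an empty list.
 *
 * A request with no `req.session` at all is treated as unauthenticated
 * instead of failing with a TypeError on the property access.
 *
 * NOTE(review): the role is compared exactly as stored in the session. If a
 * user's role can change after login, confirm the session is refreshed or
 * invalidated so a revoked role does not stay usable.
 *
 * @param {...string} roles - Role values allowed through (compared with `Array.prototype.includes`).
 * @returns {Function} Middleware `(req, res, next)`.
 */
export function requireRole(...roles) {
  return function (req, res, next) {
    // Fail closed: a missing session and a missing user are both "not logged in".
    const user = req.session && req.session.user;
    if (!user) {
      return res.redirect('/auth/login');
    }
    if (!roles.includes(user.role)) {
      // Message text: "You do not have permission to access this feature".
      return res.status(403).render('error', { message: '无权访问该功能' });
    }
    next();
  };
}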


